[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Dmitri Pal dpal at redhat.com
Wed Feb 12 22:55:22 UTC 2014


On 02/12/2014 04:57 PM, Shree wrote:
> If there aren't any other tests to perform, can I go ahead and 
> uninstall the ipa client and configure this VM as a replica?

Thanks for trying. At least we know that certmonger can run by itself.
When you install replica please collect all the install logs.
Is SELinux on/off?

> Shreeraj
> ---------------------------------------------------------------------------------------- 
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 12, 2014 1:40 PM, Shree 
> <shreerajkarulkar at yahoo.com> wrote:
> "getcert list" returned a bunch of info, see below
>
> [root at ldap2 ~]# getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20140206184920':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-retrieve-agent-submit
> issuer: CN=Certificate Authority,......................
> .............................
>
>
>
> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> 
> wrote:
> On 02/12/2014 03:41 PM, Shree wrote:
>> So I uninstalled the ipa server and installed the client 
>> (ipa-client-install) on the same VM pointing at the master and 
>> everything seems to work OK. All the sudo rules etc. Are there any 
>> tests I can do check connectivity that could be helpful before I 
>> configure this as a "replica" again.
> Ask certmonger to get a certificate
>
>>
>>
>>
>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 02/12/2014 02:09 PM, Shree wrote:
>>> Rob
>>> I really appreciate your help, please bear with me. At this point I 
>>> need to take you back to my ipa-replica-install and what happened 
>>> there.
>>>
>>> [1] My command: ipa-replica-install --setup-ca 
>>> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>>  This ended with a
>>> Done configuring NTP daemon (ntpd).
>>> A CA is already configured on this system.
>>>
>>> [2] So I did a pkiremove with the following command
>>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>>
>>> [3] Re ran the ipa-replica-install command in step 1
>>> The install went a little further but ended below.
>>>
>>> Configuring directory server for the CA (pkids): Estimated time 30 
>>> seconds
>>>   [1/3]: creating directory server user
>>>   [2/3]: creating directory server instance
>>>   [3/3]: restarting directory server
>>> Done configuring directory server for the CA (pkids).
>>> ipa         : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>   [1/17]: creating certificate server user
>>>   [2/17]: creating pki-ca instance
>>>   [3/17]: configuring certificate server instance
>>> ipa         : CRITICAL failed to configure ca instance Command 
>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
>>> .................
>>> ...........................
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Configuration of CA failed
>>>
>>> If I skip the "--setup-ca" option then the replica gets created 
>>> without any CA services. The "master" and "replica" are in sync but 
>>> I am unable to run a ipa-client-install using  the replica. Now I 
>>> need to fix this to get a replica in place correctly.
>>>
>>>
>>>
>>>
>>>
>>> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Shree wrote:
>>> > OK I thought CA is a part of IPA ? Below is from my master IPA server
>>> >
>>> > [root at ldap ~]# ipactl status
>>> > Directory Service: RUNNING
>>> > KDC Service: RUNNING
>>> > KPASSWD Service: RUNNING
>>> > MEMCACHE Service: RUNNING
>>> > HTTP Service: RUNNING
>>> > CA Service: RUNNING
>>> > [root at ldap ~]#
>>> >
>>> > I can certainly send you a log if needed.
>>>
>>> It is part of IPA but the IPA server talks to it, not the clients 
>>> directly.
>>>
>>> I can only speculate what the client is doing without seeing the log
>>> files, but I suspect both masters are in DNS and IPA is trying to enroll
>>> to the initial master which isn't available.
>>>
>>> rob
>>>
>>> >
>>> >
>>> > On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden
>>> > <rcritten at redhat.com> wrote:
>>> > Shree wrote:
>>> > > Peter
>>> > > Actually I mentioned earlier that my clients are in a separate VLAN and
>>> > > cannot access the master. We have made provisions for the master and the
>>> > > replica to sync by opening the needed ports in the firewall. We have
>>> > > also opened up ports between the clients and the replica. I have tested
>>> > > the connectivity for these ports.
>>> > > Perhaps you can tell me if what I am trying to achieve is even possible?
>>> > > i.e.
>>> > > I seem to get stuck with making the replica with the "--setup-ca"
>>> > > option. Without that option I am able to create a replica and have it in
>>> > > sync with the master. However my ipa-client-install fails from clients
>>> > > as they try looking for the master for CA part of the install.
>>> >
>>> > Clients don't talk to the CA, they talk to an IPA server which talks to
>>> > the CA.
>>> >
>>> > I think we need to see /var/log/ipaclient-install.log to see what is
>>> > going on.
>>> >
>>> > rob
>>> >
>>> > >
>>> > >
>>> > > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
>>> > > <pspacek at redhat.com> wrote:
>>> > > On 11.2.2014 23:53, Shree wrote:
>>> > >
>>> > > > The following ports are opened between
>>> > > > 1) the master and the replica (bi-directional)
>>> > > > 2) the client machine and the IPA replica (unidirectional).
>>> > > > When the replica was up it worked fine as far as syncing was
>>> > > > concerned.
>>> > > >
>>> > > >  80 tcp
>>> > > >  443 tcp
>>> > > >  389 tcp
>>> > > >  636 tcp
>>> > > >  88 tcp
>>> > > >  464 tcp
>>> > > >  88 udp
>>> > > >  464 udp
>>> > > >  123 udp
>>> > > >
>>> > > >
>>> > > >
>>> > > >
>>> > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> > > >
>>> > > > On 02/11/2014 05:05 PM, Shree wrote:
>>> > > >> Dimitri
>>> > > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your
>>> > > >> questions (thanks for your help man)
>>> > > > Please republish it on the list.
>>> > > > Do not reply to me directly.
>>> > > >
>>> > > > Did you set your first server with the CA? Are all ports that need
>>> > > > to be open in the firewall between primary or server actually
>>> > > > open?
>>> > > >
>>> > > >
>>> > > >
>>> > > >>
>>> > > >> What I have done so far is uninstalled the replica and tried to
>>> > > >> install it again using the "--setup-ca" option. Previously I had
>>> > > >> failures and when I removed the "--setup-ca" option the installation
>>> > > >> succeeded (in a way). I understand now that I really need to fix the CA
>>> > > >> installation errors first.
>>> > > >>
>>> > > >>
>>> > > >> 1) The workaround helped me go forward a bit but I got stuck at this
>>> > > >> point, see below
>>> > > >> ===========
>>> > > >>    [1/3]: creating directory server user
>>> > > >>    [2/3]: creating directory server instance
>>> > > >>    [3/3]: restarting directory server
>>> > > >> Done configuring directory server for the CA (pkids).
>>> > > >> ipa        : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>> > > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>> > > >>    [1/17]: creating certificate server user
>>> > > >>    [2/17]: creating pki-ca instance
>>> > > >>    [3/17]: configuring certificate server instance
>>> > > >> ipa        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>>> > > >> ===========
>>> > > >> 2) No, we do not use IPA for a DNS server.
>>> > > >>
>>> > > >>
>>> > > >> 3) The reason for this could be that I had installed the replica
>>> > > >> without the "--setup-ca".
>>> > > >>
>>> > > >>
>>> > > >>
>>> > > >>
>>> > > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> > > >>
>>> > > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>>> > > >>> Shree wrote:
>>> > > >>>> Lukas
>>> > > >>>> Perhaps I should explain the design a bit and see if FreeIPA even
>>> > > >>>> supports this. Our replica is in a separate network and all the
>>> > > >>>> appropriate ports are opened between the master and the replica. The
>>> > > >>>> "replica" got created successfully and is in sync with the master
>>> > > >>>> (except the CA services which I mentioned earlier)
>>> > > >>>> Now, when I try to run ipa-client-install on hosts in the new network
>>> > > >>>> using the replica, it complains about "Cannot contact any KDC for
>>> > > >>>> realm".
>>> > > >>>> I am wondering if my hosts in the new network are trying to access the
>>> > > >>>> "master" for certificates since the replica does not have any CA
>>> > > >>>> services running? I couldn't find any obvious proof of this even running
>>> > > >>>> the install in a debug mode. Do I need to open ports between the new
>>> > > >>>> hosts and the master for CA services?
>>> > > >>>> At this point I cannot disable or move the master, it needs to function
>>> > > >>>> in its location but I need
>>> > > >>>
>>> > > >>> No, the clients don't directly talk to the CA.
>>> > > >>>
>>> > > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
>>> > > >>> was found and we were trying to use. If you have SRV records for both
>>> > > >>> but we try to contact the hidden master this will happen. You can try
>>> > > >>> specifying the server on the command-line with --server but this will
>>> > > >>> be hardcoding things and make it less flexible later.
>>> > > >>>
>>> > > >>> rob
>>> > > >>>
>>> > > >>>>
>>> > > >>>>
>>> > > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik
>>> > > >>>> <lslebodn at redhat.com> wrote:
>>> > > >>>> On (06/02/14 18:33), Shree wrote:
>>> > > >>>>
>>> > > >>>>> First of all, the ipa-replica-install did not allow me to use
>>> > > >>>>> the --setup-ca option complaining that a cert already exists,
>>> > > >>>>> replica creation was successful after I skipped the option.
>>> > > >>>>> Seems like the replica is one except
>>> > > >>>>> 1) There is no CA Service running on the replica (which I guess is
>>> > > >>>>> expected)
>>> > > >>>>> and
>>> > > >>>>> 2) I am unable to run ipa-client-install successfully on any clients
>>> > > >>>>> using the replica. (I don't have the option of using the primary
>>> > > >>>>> master as it is configured in a segregated environment. Only the
>>> > > >>>>> master and replica are allowed to sync.
>>> > > >>>>> Debug shows it fails at
>>> > > >>>>>
>>> > > >>>>> ipa        : DEBUG    stderr=kinit: Cannot contact any KDC for realm
>>> > > >>>>> 'mydomainname.com' while getting initial credentials
>>> > > >>>>
>>> > > >>>>>
>>> > > >>>>>
>>> > > >>>>
>>> > > >>>> I was not able to install replica with CA on Fedora 20,
>>> > > >>>> Bug is already reported https://fedorahosted.org/pki/ticket/816
>>> > > >>>>
>>> > > >>>> Guys from dogtag found a workaround
>>> > > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>>> > > >>>>
>>> > > >>>> Does it work for you?
>>> > > >>>>
>>> > > >>>> LS
>>> > > >>>>
>>> > > >>>>
>>> > > >>>>
>>> > > >>>>
>>> > > >>>>
>>> > > >>>> _______________________________________________
>>> > > >>>> Freeipa-users mailing list
>>> > > >>>> Freeipa-users at redhat.com
>>> > > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > > >>>>
>>> > > >>>
>>> > > >>
>>> > > >> What server provides DNS capabilities to the clients?
>>> > > >> Do you use IPA DNS or some other DNS?
>>> > > >> Clients seem to not be able to see replica KDC and try to access hidden
>>> > > >> master but they can know about this master only via DNS.
>>> > >
>>> > >
>>> > > Shree, make sure that command
>>> > > $ dig -t SRV _kerberos._udp.ipa.example
>>> > > on the client returns both IPA servers (in ANSWER section).
>>> > >
>>> > > --
>>> > > Petr^2 Spacek
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>>
>>>
>> I suggest that you temporarily try to install a client in place of 
>> the replica and see why it does not install.
>> The log above suggests that certmonger that is a part of the replica 
>> fails to connect to the first master. We need to understand the 
>> reason why it fails. Then we would be able to make your replica be a CA.
>> I suspect that CA related communication between replica and master is 
>> not going through for some reasons.
>> The install log would be really helpful.
>> Please see
>> http://www.freeipa.org/page/Troubleshooting to collect the right logs.
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
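The checks Petr and Rob describe in the thread (which KDCs the client's SRV lookup returns, and whether the one it picks is reachable through the firewall), as an added example that is not part of the thread and not FreeIPA's own tooling. It is shell because that is where the thread's commands are typed. The hostnames ldap.mydomain.com (hidden master) and ldap2.mydomain.com (replica), the realm MYDOMAIN.COM and the sample SRV answer are assumptions modelled on the thread; the TCP port list is the one Shree posted.

```shell
#!/bin/bash
# Added example, not code from the thread or from FreeIPA: discover the KDCs a
# client will find through DNS SRV, test which of them the client can actually
# reach, and emit a krb5.conf [realms] stanza that pins only the reachable
# ones. Hostnames and realm in comments and usage are assumptions modelled on
# the thread (ldap = hidden master, ldap2 = replica, domain mydomain.com).

# parse_srv: read `dig +short -t SRV` lines ("prio weight port target.") on
# stdin and print "target port" in the order a Kerberos client prefers them:
# lowest priority first, higher weight first within one priority.
parse_srv() {
    sort -k1,1n -k2,2nr | awk 'NF >= 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# discover_kdcs DOMAIN: the SRV lookup ipa-client-install and kinit rely on.
# Needs dig and a resolver; it is not exercised offline.
discover_kdcs() {
    dig +short -t SRV "_kerberos._udp.$1" | parse_srv
}

# tcp_reachable HOST PORT [TIMEOUT]: true when a TCP connect succeeds. Uses the
# bash /dev/tcp pseudo-device, so no nc or nmap is needed on the client.
# UDP ports (88/464/123 in the thread's list) cannot be probed this way.
tcp_reachable() {
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# filter_reachable [PROBE]: read "host port" pairs on stdin and print only the
# ones whose port answers. The probe is a parameter so tests can substitute a
# stub for the network call.
filter_reachable() {
    local probe="${1:-tcp_reachable}" host port
    while read -r host port; do
        "$probe" "$host" "$port" && printf '%s %s\n' "$host" "$port"
    done
    return 0
}

# IPA_TCP_PORTS: the TCP ports the thread lists as opened client -> replica.
IPA_TCP_PORTS="80 443 389 636 88 464"

# report_ports HOST [PROBE]: one "HOST PORT open|closed" line per port, so a
# firewall gap shows up before ipa-client-install is attempted.
report_ports() {
    local host="$1" probe="${2:-tcp_reachable}" p
    for p in $IPA_TCP_PORTS; do
        if "$probe" "$host" "$p"; then echo "$host $p open"; else echo "$host $p closed"; fi
    done
}

# krb5_realm_stanza REALM: read "host port" pairs on stdin and emit a
# krb5.conf [realms] entry listing exactly those KDCs. With explicit kdc
# entries the client no longer depends on SRV discovery for that realm; this
# is the same trade-off Rob describes for --server: reliable now, but a
# hard-coded list you must maintain when servers change.
krb5_realm_stanza() {
    local realm="$1" host port
    printf '[realms]\n  %s = {\n' "$realm"
    while read -r host port; do
        printf '    kdc = %s:%s\n' "$host" "$port"
    done
    printf '  }\n'
}

# Usage on a client in the segregated VLAN (assumed realm and domain):
#   ./kdc-check.sh check MYDOMAIN.COM mydomain.com
case "${1:-}" in
    check)
        reachable=$(discover_kdcs "$3" | filter_reachable)
        if [ -z "$reachable" ]; then
            echo "no KDC from SRV is reachable for $3" >&2
            exit 1
        fi
        printf '%s\n' "$reachable" | krb5_realm_stanza "$2"
        ;;
esac
```

Run it as root on a client in the new network. kinit walks the SRV answer in priority order, so an answer that lists only hosts the client cannot reach, or a closed port 88 on every listed KDC, produces the thread's `Cannot contact any KDC` error; an answer that lists the hidden master first merely adds a timeout before the replica is tried. Pinning the reachable KDCs is a workaround; the durable fix is DNS that advertises to each network only the servers it can reach.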


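Dmitri's suggestion in the thread to ask certmonger for a certificate, and the `getcert list` output Shree posted in reply, as an added example (not from the thread and not certmonger's own tooling) that turns that output into one line per tracked request and flags anything that is not in MONITORING or is marked stuck. The sample input reuses the ipaCert record from the thread; the second record, a Server-Cert request for the slapd-PKI-IPA instance in state CA_UNREACHABLE, is constructed to show what a failed request looks like.

```shell
#!/bin/bash
# Added example, not code from the thread or from certmonger: summarise
# `getcert list` so a failed or stuck request stands out in a long listing.

# certmonger_summary: read `getcert list` output on stdin and print one line
# per request: "ID STATUS STUCK NICKNAME". The nickname is taken from the
# "certificate:" line so the request can be tied to the NSS database entry.
certmonger_summary() {
    awk -v q="'" '
        function flush() {
            if (id != "") printf "%s %s %s %s\n", id, status, stuck, nick
            id = ""; status = "?"; stuck = "?"; nick = "?"
        }
        /^Request ID/ { flush(); id = $3; gsub("[" q ":]", "", id); next }
        /^[[:space:]]*status:/ { status = $2; next }
        /^[[:space:]]*stuck:/ { stuck = $2; next }
        /^[[:space:]]*certificate:/ {
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
            next
        }
        END { flush() }'
}

# certmonger_problems: only the requests that need attention. MONITORING with
# stuck: no is the healthy state; anything else means certmonger could not
# obtain or renew the certificate (for example CA_UNREACHABLE when the replica
# cannot talk to the CA on the master).
certmonger_problems() {
    certmonger_summary | awk '$2 != "MONITORING" || $3 == "yes"'
}

# sample_getcert: constructed input. The first record is the one from the
# thread; the second is a made-up failed request for illustration.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140206184920':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
Request ID '20140212193001':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
EOF
}

# On a real server: getcert list | certmonger_problems
```

Pipe the live `getcert list` into `certmonger_problems` on the replica after an install attempt; an empty result means every tracked certificate is healthy, and any line printed names the request ID to look up in /var/log/certmonger.log and the certmonger journal.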


